Significant WinRAR vulnerability identified

An expert says that the popular compression tool WinRAR contains a significant vulnerability that exposes it to an attack.

A security researcher based in Iran has uncovered a remote code execution vulnerability in the WinRAR SFX v5.21 software.

Mohammad Reza Espargham, from the APA Center of Yazd University, said the defect makes it possible for cybercriminals to deploy “system specific code” to compromise a system.

He explained that the vulnerability is situated in the “Text and Icon” function of the “Text to display in SFX” module.

“Remote attackers are able to generate [their] own compressed archives with malicious payloads to execute system specific codes for compromise,” Mr Espargham elaborated.

“The attackers saved in the SFX archive input the malicious generated html code. This results in a system specific code execution when a target user or system is processing to open the compressed archive.”

He said that the risk posed by this flaw was “critical” and attributed it a cvss (common vulnerability scoring system) count of 9.2.

The expert said that there is a solution to the defect, which can be resolved through a “secure parse and encode of the url value parameter in the outgoing module GET method request”.

Furthermore, Mr Espargham stated, it is important that you limit the input and prevent special characters. Filtering the input to block “further client-side cross site scripting attacks”, is also recommended.

In response to this revelation, the team at WinRAR said that in general, executable files are “potentially dangerous by design”.

“WinRAR self-extracting archive is an executable file,” it stated in an official statement.

“User is not able to easily verify if executable part is a genuine WinRAR SFX module or some other code, so any malicious code can be included immediately to executable module of SFX archive.”

Additionally, the statement continued, cybercriminals are able to take an executable file and “prepend it to archive and distribute to users”.

This alone, it was keen to highlight, makes the discussion of susceptibilities in SFX archives “useless”.